Drupal — Secure and Latest Versions

As a courtesy to our customers, we maintain a list of recent versions and the important security updates for Drupal. Generally, the most current version of your CMS is the most secure, but if you have an older version of your CMS, it can be hard to find information on whether your version is secure or not.

Bookmark this KB, and we will continue to update it with the most current secure version information.

What is the latest secure version of Drupal?

Drupal 8.5.2 — Security Fixes

Drupal 8.5.2 is considered a minor release of Drupal 8:

Drupal 8.4.4 is a patch release of Drupal 8 that resolves the following listed issues:

[PHP 7.2] count() parameter must be an array or an object that implements Countable. Drupal 8.4.4 still has one remaining critical bug on PHP 7.2 which will be fixed by Drupal 8.5.0, to be released March 7, 2018.

Drupal 8.4.3 is a patch release of Drupal 8 that resolves the following listed issues:

Important: If you have not already upgraded to 8.4.0, read the Drupal 8.4.0 release notes before upgrading to 8.4.3. Drupal 8.4 includes major version updates for Symfony, jQuery, and jQuery UI and is no longer compatible with older versions of Drush.

Drupal 8.4.0 brings multiple bug updates carried over from previous versions of Drupal 8.3, including file usage tracking, configuration export sorting, revision data integrity fixes, and other critical improvements. If you are a Drush user, however, you will need to update Drush to version 8.1.12 before upgrading to Drupal 8.4.0. Note also that as of Drupal 8.4.0, Internet Explorer 9 and 10 are no longer supported. You can view this information in the changelog here. You can view the release notes by going here.

The full release announcement can be found here, and the specific vulnerabilities addressed can be found in the security update breakdown here.

Drupal 8.3.0 — Version Feature Update

Drupal 8.3.0 adds multiple modules to the core of Drupal, including Workflows, Layout Discovery, and Field Layout. Other changes to this version of Drupal can be found here in the changelog. You can view the release notes by going here.

The full release announcement can be found here, and the specific vulnerabilities addressed can be found in the security update breakdown here.

Drupal 8.2.7 — Security Update

Drupal 8.2.7 has snuck in before the planned 8.3.0 update, despite the previous 8.2.6 patch being the last planned update in the 8.2.x series. This update includes a handful of security updates; however, the most severe of them are fixed in the SA-CORE-2017-001 release. It should be emphasized that the Drupal Security Team "strongly recommends" users update their Drupal 8.x sites to 8.2.7 to close these security vulnerabilities.

Updates in this patch include security fixes for an Access Bypass issue in the editor module that allowed access to private files (rated "critical"), a Cross-Site Request Forgery (CSRF) issue with admin paths not being protected with a CSRF token (rated "moderately critical"), and an issue with a third-party development library that could allow for remote code execution (also rated "moderately critical").

The full release announcement can be found here, and the specific vulnerabilities addressed can be found in the security update breakdown here.

Drupal 8.2.6 — Maintenance Update

Drupal 8.2.6 is the last scheduled release of the 8.2.x series. Drupal 8.3.0 is scheduled to push April 5, 2017. The Drupal 8.2.6 maintenance release addresses an issue where stale dependencies passed to onDependencyRemoval() result in data loss on uninstallation, and includes an update to Symfony components to ~2.8.16, new JavaScript test methods, and fixes for multiple minor issues. For more information on the Drupal 8.2.6 update, see the official release notes here.

Once Drupal 8.3 is released, sites should update in order to receive continued bug and security fixes.

Drupal 8.2.5 — Maintenance Update

Drupal 8.2.5 is a maintenance and bug fix patch only. There are nearly three dozen fixes in this update; however, they are all relatively minor (in the scheme of site development). There are no security issues or new features in this patch. For a complete list of the bug fix breakdown, consult the official release notes for the Drupal 8.2.5 update here.

Drupal 8.2.4 — Maintenance Update

Drupal 8.2.4 is a maintenance and bug fix patch only. The REST regression in Drupal 8.2.x has been addressed, the entity query issue around specifying an entity type ID for reference fields has been fixed, and the md_entity destination plugin has been deprecated. You can read about these additions, and other bug fixes in 8.2.4, by consulting the official patch notes here.

Drupal 8.2.3 — Security Update

Drupal 8.2.3 is an important security update to the Drupal 8.x series. Users of the Drupal 8 platform are encouraged to upgrade immediately after consulting the patch notes for further information. This update includes multiple vulnerability fixes that are ranked as "Moderately Critical" by the Drupal Security Team. The update for SA-CORE-2016-005 fixes multiple vulnerabilities, chiefly a "denial of service via transliterate mechanism" exploit and one where "confirmation forms allow external URLs to be injected."

Note that beginning with this release, the Drupal code team says "packaged Drupal releases no longer contain development PHP libraries." For more information on this update, and the additional security issues addressed, read the official patch notes here.

Drupal 8.2.2 — Maintenance Update

Drupal 8.2.2 is a maintenance patch containing assorted bug fixes, including taxonomy autocompletion fixes, entity destination ID schemas, and D7 link field instance settings not migrating, among others. Note that while "there are no known regressions in this release," the Drupal Team does still caution users to be aware of multiple Drupal 8 issues that exist when updating "on specific hosting environments."

It is recommended that you consult the version control changes fully before making any large-scale changes to your site that may be affected by these regression errors. Full information on the 8.2.2 maintenance update can be found in the official release notes here.

Drupal 8.2.1 — Security Update

Drupal 8.2.1 is another update in the vein of version 8.2.0, where multiple critical bugs are addressed. According to the release notes, this update addresses an issue where "Blocks do not appear after being placed with the Rules module enabled," along with an issue where a bundle could lose the ability to have content created on it. More information can be found in the official release notes here.

Drupal 8.2.0 — Security Update

Drupal 8.2.0 is an important update that contains multiple bug fixes and maintenance updates, including nine "critical bug fixes," many of which most users would consider severe security issues. One of these fixes addresses a major issue in the platform that would completely break IIS Drupal deployments (SA-CORE-2016-003). To read a full breakdown of these issues and critical fixes, see the official release notes here.

Drupal 8.1.9 — Maintenance Update

Drupal 8.1.9 is a minor release containing minimal updates and bug fixes. This will be the last planned release of the 8.1.x series. Users and admins should be advised that version 8.2.0, when released, may contain important security updates. For more information, read the official release notes here.

Drupal 8.1.8 — Maintenance Update

Drupal 8.1.8 is a maintenance update for the 8.1.x series. There are no security fixes in this release. Drupal 8.1.8 is a stability update with several minor changes, tweaks, and bug fixes. There are no new features in this update. Note that there are still several issues that can affect people running (and attempting to update from) Drupal 8.1.6. For a complete list of bug fixes, or to check into the other known issues mentioned above, consult the full Drupal 8.1.8 release notes here.

Drupal 8.1.7 — Security Update

Drupal 8.1.7 is a security release that addresses the discovery of a major security vulnerability found in the Drupal 8 PHP third-party library Guzzle that could result in a fatal site error. While this is "technically" not part of Drupal core, this third-party module is used inherently by Drupal 8. It is a distinction the Drupal team is hammering in the release notes of the SA-CORE-2016-003 vulnerability report; however, if it is required for Drupal 8, that distinction makes no difference to end-users. More information can be found in the Drupal 8.1.7 official release notes here.

Drupal 8.1.6 — Maintenance Update

Drupal 8.1.6 is a maintenance-only update; it contains only bug fixes, documentation, and testing improvements. This update resolves a small (but headache-inducing) error that could occur in some cases when updating to Drupal 8.1.5. In the words of the official release notes: "When updating from versions 8.1.3 or earlier without first emptying the /core and /vendor folders it was possible to run into a fatal error due to code that should have been removed being executed (when following the standard update procedure you should not run into this issue). Otherwise this release is identical to 8.1.5." For more information, read the official release notes here.

Drupal 8.1.5 — Maintenance Update

Drupal 8.1.5 solves the error (noted below) that was made when version 8.1.4-dev was intended to be pushed to production. The update only contains bug fixes, and is identical to Drupal 8.1.4 as it solves the naming scheme issue with that release. For more information, read the official release notes here.

Drupal 8.1.4 — Maintenance Update

Drupal 8.1.4 is a maintenance release for the Drupal 8.x series. This update resolves several issues in the 8.1.x series, including an issue where some Apache configurations may have issues with serving public files, as well as some per-commit testing for MySQL 5.7.9 or MariaDB 10.1.8, and multiple other small fixes. Please note that, due to an error in the release processes and documentation, this release recognizes itself as "8.1.4-dev" rather than the normal, production naming scheme of 8.1.4. For more information, read the official release notes here.

Drupal 8.1.3 — Security Update

Drupal 8.1.3 is a security update for all previous versions of the 8.x series prior to 8.1.3, as well as all previous versions of the 7.x series prior to 7.44. This update fixes a security vulnerability rated at 11/25, and classified as "moderately critical" by the Drupal Core team. According to the official security release, "An access bypass vulnerability exists in the Views module, where users without the 'View content count' permission can see the number of hits collected by the Statistics module for results in the view." For more information about this security update, read the official release notes here.

Drupal 8.1.2 — Maintenance Update

Drupal 8.1.2 is a maintenance patch for the Drupal 8.x series. This release contains bug fixes, documentation, and testing improvements. There are no security patches in this release. In addition to the usual collection of minor fixes, this update fixes an issue where the Text Editor module would fail to track usage of images uploaded in some cases, an issue where DataEntityRow didn't respect translations, as well as improvements to the update manager and Twig template variables with certain results. For more information, read the official release notes here.

Drupal 8.1.1 — Maintenance Update

Drupal 8.1.1 is a stability patch for the recent 8.1 release. This release contains bug fixes, documentation, and testing improvements. There are no security patches in this release. In addition to several minor fixes, this update addresses an issue where the TaxonomyIndexTid Views plugin stored selected terms with the ID instead of UUID, as well as clarifying a concern with the url.path cache context for breadcrumbs being unnecessarily granular. For more information, read the official release notes here.

Drupal 8.1.0 — Feature Update

Drupal 8.1 is the first large feature release for Drupal 8 (although the team quickly dials it back to a "minor version" feature update, despite the chosen numbering scheme for this release). New improvements are added that do not (should not) affect public APIs. Further improvements have been made to the admin/help page's flexibility, CKEditor, installation providers, multiple API improvements, and views that now provide a rendered entity field handler (similar to Drupal 7's functionality). For more information, read the official release notes here.

Drupal 8.0.6 — Maintenance Update

Drupal 8.0.6 is the last scheduled patch release of the 8.0.x series. This release includes minor bug fixes and maintenance in preparation for the release of the 8.1.x series. Notably, this resolves a regression where themes were unable to implement hook_element_info_alter() under certain conditions. Please note that the Drupal Team has outlined the following issue: "Installs on php-fpm environments may see fatal errors on enabling modules" — the release notes contain more information on this issue and others; those can be read here.

Drupal 8.0.5 — Maintenance Update

Drupal 8.0.5 is a maintenance release only and contains no security fixes. Multiple bugs and issues are fixed, including issues with book module breadcrumbs, image fields, and certain instances that incorrectly generated 404 errors. For a full list of these fixes, see the official release notes here.

Drupal 8.0.4 — Security Update

Drupal 8.0.4 is a security update that addresses multiple vulnerabilities in the 8.x series. Notably, this fixes vulnerabilities with a "file upload access bypass and denial of service" within the file module, and the potential for brute force amplification attacks in certain conditions. For more information, read the official release notes here.

Drupal 8.0.3 and Drupal 7.42 — Maintenance Update

Drupal versions 8.0.3 and 7.42 have been characterized by the Drupal team as "maintenance releases with numerous bug fixes." These are maintenance releases only; there are "no security fixes." Drupal 8.0.3 "contains bug fixes and documentation and testing improvements only," while the update for 7.42 has a handful of minor feature tweaks and simple bug fixes. For more information, read the official release announcement here.

Drupal 8.0.2 — Maintenance Update

Drupal 8.0.2 is a release containing only "bug fixes, along with documentation and testing improvements." Two critical issues were fixed, one involving the LocaleConfigManager and another with a breaking issue in the logo image settings form. For more information on the changes in 8.0.2, read the official release notes here.

Drupal 8.0.1 — Maintenance Update

Drupal 8.0.1 is the first patch since the release of Drupal 8; as such it contains only bug fixes. There are no mission-critical or security updates in this patch. However, if you have updated to Drupal 8, it is recommended that you make this update to iron out some of the identified bugs. See a full list of changes since 8.0.0 in the official notes here.

Drupal 8.0.0 — Major Feature Update

The long-awaited Drupal 8 has finally arrived with so many features and updates we can't list them all. The official release page boasts the tagline: "Drupal: Build something amazing," and promises more than 200 new features and improvements to the Drupal platform. Dive into the detailed announcement page here.

Drupal 7.90 — Security Update

Drupal 7.90 is a security update that addresses critical fixes "to OpenID spec violations that could allow for impersonation in certain scenarios." Additional fixes include files getting lost when adding multiple files to multiple file fields at the same time, improvements to the clean URL test screens, restored height/width attributes on images run through the theme system, and several other fixes such as CSS and token issues addressed. For more information, read the official release notes here.

Drupal 7.80 — Maintenance Update

Drupal 7.80 is full of "bugfixes and small API improvements." There are no security fixes in this patch. New forum maintainers have been added, the error where UpdateTestContribCase fails has been addressed, file load problems have been fixed, a shortcut maintainer has been added, and hook_menu()'s documentation has been corrected, among other minor additions and fixes. Note that if you are upgrading from Drupal 6 to 7.7, there are multi-language site issues that may need to be addressed or rolled back. Check the release notes for information on that issue. For full updates, check the official release notes here.

Drupal 7.70 — Maintenance Update

Drupal 7.70 is an odd one in the Drupal scheme. The complete release notes state, "This release is just Drupal 7.6 with a fixed VERSION string. That's it. Oops. :(" That is really the only information in the official release notes, which are here.

Drupal 7.60 — Maintenance Update

Drupal 7.60 is an uncharacteristic jump in numbering for the Drupal 7.x series. Made more odd by the fact that the last update for the 7.x series was also a leap in version numbering (the 7.50 features update), this next jump to 7.6 is a maintenance and bug fix only. With the items addressed in this update, we would fully expect it to follow the more traditional version numbering and be identified as 7.51. With no new features, and only minor bugs and maintenance fixes, it seems odd to classify this one as a 7.6 update.

This update includes the security fixes that were already present in 7.50, as well as maintenance updates and bug fixes to the 7.5x release. Why this isn't identified as 7.51 is anyone's guess. Don't let the numbering fool you, this is a minor update with a handful of maintenance areas identified. Don't look for any major changes here. For more information, you can read the official 7.6 release announcement here.

Drupal 7.50 — Features Update

Drupal 7.50 is a jump in the release numbering system, but is packed full of new features to make the point-update actually mean something. There are several bug fixes in this update; however, there are no security fixes. We recommend diving into the official release notes to see all the new Drupal goodness, but a few of the highlighted new features include: a new "administer fields" permission for trusted users, protection against clickjacking enabled by default, support for full UTF-8 (your emojis and mathematical symbols will now look great <3), improved support for recent PHP versions, improved support for PHP 7, improved search engine indexing for site images/CSS/JavaScript, and improvements to performance.

While Drupal does recommend updating Drupal 7.x sites to Drupal 7.50, users should note that there are still "a couple of changes that might need your attention during the update." More details can be found in the official Drupal 7.50 release announcement here.

Drupal 7.44 — Security Update

Drupal 7.44 is a security update for all previous versions of the 7.x series prior to 7.44. This update fixes a security vulnerability rated at 11/25, and classified as "moderately critical" by the Drupal Core team. According to the official security release, a vulnerability in the User module could allow a malicious attacker the ability to create a user that is granted all roles on the site, including but not limited to gaining admin access. In order to exploit this vulnerability, an attacker would need to contribute custom code to perform a form rebuild. For more information on this security patch, as well as the corresponding security update for the 8.x series, read the official release notes here.

Drupal 7.43 — Security Update

Drupal 7.43 is an important security update to the 7.x series that is classified as a "critical" update by the Drupal Security Team: it fixes multiple vulnerabilities. Chiefly addressed are three different regressions identified in the core, including issues with the Webform module and the File Resumable Upload module. These are outlined in detail in the SA-CORE-2016-001 security advisory. While most of these issues are, individually, classified as "moderately critical," the combination of them has caused the team to give the overall update a higher classification of urgency. Users are encouraged to update immediately to close these vulnerabilities. For more information, read the Drupal 7.43 release notes here.

Drupal 7.42 — Maintenance Update

Drupal versions 8.0.3 and 7.42 have been characterized by the Drupal team as "maintenance releases with numerous bug fixes." These are maintenance releases only; there are "no security fixes." Drupal 8.0.3 "contains bug fixes and documentation and testing improvements only," while the update for 7.42 has a handful of minor feature tweaks and simple bug fixes. For more information, read the official release announcement here.

Drupal 7.41 — Security Update

Drupal 7.41 is a security release that addresses an error in the Overlay module in the Drupal core. According to the SA-CORE-2015-004 advisory, "The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability." Users should not be overly concerned, however, as the Drupal Security Team has classified this vulnerability as "Less Critical." Still, it is always recommended that you install proper updates to mitigate potential security vulnerabilities. More information can be found in the official security announcement here.

Drupal 7.40 — Maintenance Update

Drupal 7.40 is a maintenance release that addresses several bugs and introduces a handful of new features and API improvements. The full release notes for these new updates and features can be found here.

Drupal 7.39 and 6.37 — Security Update

Drupal 7.39 and 6.37 are both security updates for vulnerabilities listed in the official security advisory SA-CORE-2015-003. This update is rated as "Critical" by the Drupal Security Team. This release addresses several security issues, including a cross-site scripting vulnerability with Ajax, a cross-site scripting vulnerability with the autocomplete system, a SQL injection database API issue, and several other fixes. For more information on the release, read the official security announcement here.

Drupal 7.38 and 6.36 — Security Update

Drupal 7.38 and 6.36 are both security updates that "were released in response to the discovery of security vulnerabilities." These are security updates only. There are no new features in these releases. For more information, read the 7.38 official release announcement here, and the respective changelog release notes for Drupal 7.38 and 6.36. Multiple critical vulnerabilities are addressed in this release, and users are urged to update as soon as possible. A full list of the security vulnerabilities discovered can be found in the SA-CORE-2015-002 security advisory.

Drupal 7.37 — Maintenance Update

Drupal 7.37 is a maintenance release with several small bug fixes that address "small API / feature improvements only." For more information, read the 7.37 official release announcement here, and changelog release notes here.

Drupal 7.36 — Maintenance Update

Drupal 7.36 is a maintenance release that addresses several bug fixes, while adding a few new small API and feature improvements. This is a maintenance release only. There are no security issues addressed in this update. More information about Drupal 7.36 can be found here.

Drupal 7.35 and 6.35 — Security Update

Drupal versions 7.35 and 6.35 address multiple vulnerabilities identified in the Drupal Core. Specifically, the update closes a vulnerability where "password reset URLs could be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password." Additionally, the update addresses an open redirect vulnerability involving the destination query string parameter. These security issues are rated "Moderately Critical" by the Drupal Security Team. Users are encouraged to update to this security patch as early as possible. More information can be found here.

Drupal 7.34 and 6.34 — Security Update

Drupal versions 7.34 and 6.34 address multiple vulnerabilities and fix a session hijacking bug that would allow an attacker to take over a random user's session. The 7.34 update also includes a fix for an issue that could lead to a potential denial of service attack. Users are recommended to update immediately to mitigate the possibility of attacks through these vulnerabilities. Read our detailed News Item for more information on this update here.

Drupal 7.32 — Security Update

Drupal version 7.32 addresses critical security vulnerabilities and fixes the SQL injection bug discovered in the 7.x series. The Drupal Security team rates the SQL injection vulnerability as "Highly Critical," and "strongly recommends" anyone running a Drupal 7.x version prior to 7.32 to update immediately in order to close this vulnerability. Read our detailed News Item on this update here.

Drupal 7.31 and 6.33 — Security Update

Drupal versions 7.31 and 6.33 are updates to the 7.x and 6.x series that address a "major security vulnerability" which makes use of an "XML Quadratic Blowup Attack." The Drupal and WordPress security teams worked in tandem on a fix, as the vulnerability affected both platforms. We recommend users update to Drupal 7.31 or 6.33 (respectively) immediately to mitigate potential attacks that make use of this vulnerability. Read our detailed News Item on this update here.

Drupal 7.28 — Maintenance Update
Drupal 7.28 is a maintenance release only. There are no security fixes addressed in this update. According to Drupal.org, this version "contains bug fixes and small API/feature improvements only." You can read the release information here, and the detailed release notes that list changes from version 7.27 here.

Drupal 7.27 and 6.31 — Security Update
The release of Drupal 7.27 and 6.31 resolves several security vulnerabilities in the Drupal core platform for both 7.x and 6.x installations. The potential risks fixed with this update are classified as "Moderately Critical" by the Drupal Core Team. For more information on this security release, read our full news post here.

Drupal 7.26 — Security Update
Drupal 7.26 is a security release that addresses several issues, including a vulnerability in the OpenID module that allowed malicious users to hijack administrators' accounts. Several other security fixes have been made in this release, and Drupal 7.x users are encouraged to update immediately. Full details on Drupal 7.26 may be found here.

Drupal 7.25 — Security Update
Drupal 7.25 is a maintenance update only. There are no security fixes in this release. Drupal 7.25 includes bug fixes and small API/feature improvements only. The Drupal.org website says all "significant new features are only being added to the forthcoming Drupal 8.0 release." Full info on Drupal 7.25 may be found here.

Drupal 7.24 — Security Update
Drupal 7.24 is an important security update that fixes multiple vulnerabilities due to "optimistic cross-site request forgery" and "weakness in pseudorandom number generation," among others. Specific security fixes can be found in the log here, and other 7.24 information can be found in the release notes here.

Drupal 7.23 — Maintenance Update
This version of Drupal is a maintenance update only. There are no security fixes in this release. Drupal 7.23 includes bug fixes and a few minor functionality issues. The Drupal.org website says all "significant new features are only being added to the forthcoming Drupal 8.0 release." Full info on Drupal 7.23 may be found here.

Drupal 7.22 to 7.20 — Security Update
According to the Drupal.org website, "7.20 fixed a fundamental security flaw in the Drupal core Image module and therefore introduced incompatibilities with a number of contributed modules and sites." Drupal 7.21 is reported to have fixed those major incompatibilities. The 7.22 release was comprised of bug fixes only, not related to security.

Drupal 7.15 to 7.0 — Insecure
These versions of Drupal have core vulnerabilities including denial of service, invalidated form redirect, and multiple access bypass problems. Sites using these versions should upgrade as soon as possible.

Drupal 6.26 — Legacy
Drupal 6.26 is a stable version of Drupal with all of the current bugfixes. However, Drupal is no longer adding any new features to it. You should consider upgrading your website to Drupal 7.x in order to get the most possible out of your website.

Drupal 6.25 to 6.0 — Insecure
These versions of Drupal either have known bugs or are insecure. They are vulnerable to Cross-Site Request Forgery, and their OpenID module does not verify all the sign-in information. Anyone on one of these Drupal versions should upgrade as soon as possible.

Drupal 5.23 — Legacy
Drupal 5.23 is a stable version of Drupal that has all fixes for security vulnerabilities and bugs. However, Drupal no longer is adding any new features to it. In order to get the most out of your Drupal website, you should consider upgrading to Drupal 7.14.

Drupal 5.22 to 5.0 — Insecure
These versions of Drupal have known security issues and bugs, specifically in the OpenID module, which does not verify all login information. Anyone on one of these Drupal versions should upgrade as soon as possible.

Drupal 4.7.11 — Legacy
Drupal 4.7.11 is a stable version, but Drupal is no longer adding any new features to it. You should consider upgrading to Drupal 7.14 to get the most out of your Drupal website.

Drupal 4.7.10 and under — Insecure
These versions have many known security vulnerabilities and bugs. For your website’s security and function, please upgrade immediately.

Don't See Your Version Here? You Need To Upgrade
If you do not see your version of Drupal here, you should upgrade immediately for the latest security and performance benefits. Certain older versions of Drupal may contain critical security vulnerabilities.